How Does Cyber Insurance Work?
The cost of dealing with a data breach goes beyond repairing databases, strengthening security procedures or replacing lost laptops. Regulations requiring notifications of affected customers also drive costs for companies in which a data breach compromises personal or confidential data. Traditional business insurance may not be enough to protect companies from cyber-crime. But just how does cyber insurance work?
Typically, there are a number of different coverages available. To have the coverage that is right for your company, you and your agent can work together to tailor the coverages based on the specific risks your business faces. Following are some explanations of typical elements of a Travelers cyber insurance policy.
Third-Party (liability) and First-Party Coverage
What it does: Companies have an obligation to keep their customers’ protected health information (PHI) and personally identifiable information (PII) confidential. They may face potential liability if the information is exposed in a data breach. This coverage protects companies for liability to others and reimburses companies for expenses related to a data breach, which could include legal counsel and defense, a digital forensics team, notification costs, crisis communications and setting up a call center and credit monitoring for those affected by the data breach.
Why it’s important: Many companies store their customers’ confidential information, PHI and PII, as well as confidential corporate information, either for themselves or for another company. For example, an employee benefits company may have personnel records for the employees of dozens of companies it serves, which can mean that a single breach presents the potential for a significant liability.
What it does: Claims and events can occur anywhere in the world, and notification requirements differ by location. To help fulfill these requirements, policyholders can access Travelers’ network of forensics, crisis communications and legal experts to address claims made or events occurring anywhere in the world.
Why it’s important: If a company has a data breach, it must follow the privacy laws that govern where its customers live, not just where it is headquartered. This can be costly, confusing and time-consuming for a company without specialized resources.
Distinct Insuring Agreements (with the ability to set limits and retentions for each insuring agreement)
What it does: Having separate insuring agreements allows companies to be covered for different risks, at different levels. This gives companies more protection as companies can choose to set a higher limit for a specific risk, based on their business’ unique needs.
Why it’s important: There are a number of different ways that cyber crime can affect a company, from e-commerce extortion to funds transfer fraud. Having distinct insuring agreements helps protect against a diverse set of risks.
Extended Reporting Period
What it does: This gives companies more time to detect and report a data breach. It extends the reporting period, typically 90 days, and includes crisis management and security breach expense coverage.
Why it’s important: Given the nature of data breaches, a company might not realize that it suffered a breach until after the end of the cyber policy.
First-Party Coverage for Computer Program and Electronic Data Restoration Expenses
What it does: This coverage reimburses companies for expenses related to recovering from damages to computer programs and electronic data.
Why it’s important: Not all cyber claims are related to an actual data breach. For example, malware downloaded from an email could lead to lost, encrypted or otherwise damaged files, requiring expenses to repair and restore.
Business Interruption Coverage
What it does: This coverage applies to expenses and lost revenue due to a computer virus or denial-of-service attack that impairs a computer system.
Why it’s important: While many companies may have business interruption coverage as part of their property coverage, cyber crimes may not be covered.
Your coverage for security breach remediation and notification expenses would include purchasing an identity fraud insurance policy, credit monitoring services, computer forensics and access to a Breach Coach for advice regarding initial breach response.